Cyber security sandbox environment

ABSTRACT

A virtual computing environment cloning method is used to allow rapid repeatable testing of unsupervised machine learning (ML) architectures and algorithms. A virtual reference environment contains a set of virtual devices, user accounts and IP traffic as well as scripted activity and a cyber security appliance including unsupervised ML trained on the scripted activity. A clone creator makes a replica of the environment. Clones can be taken from the reference at any time and more than one can exist simultaneously. Testing that takes place within a clone environment has no effect on the reference environment, including having no effect on the unsupervised ML architectures and algorithms. Clones can be interacted with, and outcomes from testing a clone can be recorded. Clones can be discarded after tests are completed and tests are independent and repeatable.

NOTICE OF COPYRIGHT

A portion of this disclosure contains material that is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the material subject to copyright protection as it appears in the United States Patent & Trademark Office's patent file or records, but otherwise reserves all copyright rights whatsoever.

RELATED APPLICATION

This non-provisional application claims priority to and the benefit of U.S. provisional patent application titled “A CYBER SECURITY APPLIANCE AND OTHER SECURITY TOOLS,” filed Jul. 7, 2021, application No. 63/219,026, which is incorporated herein by reference in its entirety.

FIELD

Embodiments of the design provided herein generally relate to a cyber security detection system. In several embodiments, one or more artificial Intelligence (AI) processes may be implemented with an AI based cyber security system having a clone creator to clone a reference network, one or more reference machine learning algorithms and a reference cyber security appliance.

BACKGROUND

In a cyber security environment, firewalls, security and scanning methods, and other detection and defense tools may be deployed to enforce specific policies in order to provide protection against certain threats on such environment. These tools currently form an important part of an organization's cyber defense strategy, but they are insufficient in the new age of cyber threat. Existing cyber threat protection systems also generally ingest connectivity data to detect cyber threats in a passive way to access simulations of how a cyber threat might impact an organization's defences. For example, an organization may typically hire a human red team of cyber security professionals to test a defense system's vulnerability to cyber-attacks through various passive simulations. However, these human red team security professionals are usually very expensive to hire for most organizations. In addition, the human red team security professionals test the defense systems for one or more generalized vulnerabilities of the organization, without focusing on any specific defense systems, users, or attack simulations, nor offering any customizable attack simulations based on the specific organization and its specific users and entities. Accordingly, these existing tools are failing to deal with new cyber threats because the traditional approach relies on being able to test and identify any vulnerabilities by gathering ingested data through various passive and generalized simulations.

The reality is that modern threats bypass these existing tools and protection systems on a daily basis. Such tools and protection systems need a new tool and protection system based on a new approach that may complement them and mitigate their deficiencies at scale across the entirety of digital organizations. In the complex modern world, it is advantageous that the approach is fully automated as it is virtually impossible for humans to sift through the vast amount of security information gathered each minute within a digital business and then to passively simulate vulnerabilies based on that information. In particular, a protection system that can particularly identify how vulnerable any of those identified simulations is needed. Such that the detection system may be used to identify any specific vulnerabilities in a proactive way that provides full awareness of vulnerabilities to that specific organization in light of its specific users and specific entities instead of the existing detection systems that are being used.

SUMMARY

In an embodiment, an apparatus is disclosed. The apparatus may include a clone creator configured to create a clone for one or more machine learning algorithms of a reference cyber security appliance, and testing out one or more cyber-attacks on the one or more machine learning algorithms. The reference cyber security appliance may include one or more machine learning architectures using the one or more machine learning algorithms. The clone creator is further configured to create a clone network from a reference network in operation. The reference network may include a set of devices, a set of user accounts, and a set of IP packet traffic, and the clone network may include the same set of devices, the same set of user accounts, and the same set of IP packet traffic. The reference network will not be affected by the one or more cyber-attacks that will be unleashed on the clone network and the clone network can be created in a virtual machine environment. The clone creator may further be configured to create a clone cyber security appliance from the reference cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms. The clone cyber security appliance may continue to update weights applied to the one or more machine learning algorithms during a deployment of the one or more machine learning architectures.

In some embodiments, the clone creator is configured to make the clone from the reference network including the set of devices, the set of user accounts, and the set of IP packet traffic, by taking a first snapshot of a disk image including a memory and settings of the set of devices and the set of user accounts being cloned and then store the clone of the reference network in a data store.

In some embodiments, the clone creator is further configured to make the clone from the reference cyber security appliance, that has the one or more machine learning architectures using the one or more machine learning algorithms, by taking a second snapshot of a disk image including a memory and settings including its machine learning weights of the one or more machine learning architectures and then store the clone of the reference security appliance in a data store.

In some embodiments, the clone creator is configured to set up one or more sandbox environments, where each sandbox environment is populated with one or more virtual machines to implement the clone network, including the set of devices, the set of user accounts, the set of IP packet traffic, and a virtual machine configured to implement a reference copy of the cyber security appliance and the one or more machine learning architectures.

In some embodiments, the apparatus further includes a cyber threat creator, where the cyber threat creator is configured to unleash an actual cyber threat attack on the clone network, including the set of devices, the set of user accounts and the set of IP packet traffic. The actual cyber threat is implemented by the one or more virtual machines, which is being protected by the copy of the cyber security appliance and the one or more machine learning architectures.

In some embodiments, the apparatus includes a user interface and a data management module in the clone creator, where the clone creator, the cyber threat creator and the data management module cooperate with a data store and the user interface to record events in the clone cyber security appliance and the clone network. The recorded events may include lateral movement indicative of possible activity and the set of devices and the set of user accounts compromised during the cyber threat attack in the clone network and actions taken by the clone cyber security appliance to detect the cyber threat attack on the clone network, and actions taken by the clone cyber security appliance to mitigate the cyber threat attack. The user interface may further be configured to display, on a display screen, the recorded events to a user and allow a user to watch and observe what is happening in either the reference cyber security appliance and the clone cyber security appliance and the clone network. It should be noted however, that there is no attack being carried out on the reference network, therefore inspecting the events on reference network may not be used to yield anything suspicious and anomalous.

In all embodiments, the cyber threat attack only is applied to the clone network, so the reference network and the reference cyber security appliance remain clean and untainted by the cyber threat attack on the clone network.

According to some embodiments, a method for automated cloning is disclosed.

The method for automated cloning may include configuring a clone creator to create a clone for one or more machine learning algorithms of a reference cyber security appliance, and testing out one or more cyber-attacks on the one or more machine learning algorithms. The reference cyber security appliance may include one or more machine learning architectures using the one or more machine learning algorithms. The method for automated cloning may further include configuring the clone creator to create a clone network from a reference network in operation. The reference network may include a set of devices, a set of user accounts, and a set of IP packet traffic, and the clone network includes the same set of devices, the same set of user accounts, and the same set of IP packet traffic. The reference network will not be affected by the one or more cyber-attacks that will be unleashed on the clone network, and the clone network can be created in a virtual machine environment. The method for automated cloning can further include configuring the clone creator to create a clone cyber security appliance from the reference cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms. The clone cyber security appliance may continue to update weights applied to the one or more machine learning algorithms during a deployment of the one or more machine learning architectures.

In some embodiments, the method for automated cloning may include configuring the clone creator to make the clone from the reference network including the set of devices, the set of user accounts, and the set of IP packet traffic, by taking a first snapshot of a disk image including a memory and settings of the set of devices and the set of user accounts being cloned and then store the clone of the reference network in a data store.

In some embodiments, the method for automated cloning may include configuring the clone creator to make the clone from the reference cyber security appliance, that has the one or more machine learning architectures using the one or more machine learning algorithms, by taking a second snapshot of a disk image including a memory and settings including its machine learning weights of the one or more machine learning architectures and then store the clone of the reference security appliance in a data store.

In some embodiments, the method for automated cloning may include configuring the clone creator to set up one or more sandbox environments. Each sandbox environment may be populated with one or more virtual machines to implement the clone network, including the set of devices, the set of user accounts, the et of IP packet traffic, and a virtual machine configured to implement a reference copy of the cyber security appliance and the one or more machine learning architectures.

In some embodiments, the method for automated cloning may include configuring a cyber threat creator to unleash an actual cyber threat attack on the clone network, including the set of devices, the set of user accounts and the set of IP packet traffic, wherein the actual cyber threat is implemented by the one or more virtual machines, which is being protected by the copy of the cyber security appliance and the one or more machine learning architectures.

In some embodiments, the method for automated cloning may include configuring a user interface and a data management module in the clone creator. The clone creator, the cyber threat creator and the data management module may cooperate with a data store and the user interface to record events in the clone cyber security appliance and the clone network. The recorded events may include lateral movement indicative of possible activity and the set of devices and the set of user accounts compromised during the cyber threat attack in the clone network and actions taken by the clone cyber security appliance to detect the actual cyber threat attack on the clone network, and actions taken by the clone cyber security appliance to mitigate the actual cyber threat attack. It should be noted however, that there is no attack being carried out on the reference network, therefore inspecting the events on reference network may not be used to yield anything suspicious and anomalous.

In some embodiments, the method for automated cloning may include configuring the user interface to display, on a display screen, the recorded events to a user and allow a user to watch and observe what is happening in the clone cyber security appliance and the clone network. The reference network and the reference cyber security appliance may remain clean and untainted by the actual cyber threat attack on the clone network.

According to yet another embodiment, a non-transitory computer readable medium in an apparatus is disclosed. The one or more computer readable codes may be operable, when executed by one or more processors, to instruct a clone creator configured to reside on the apparatus to perform the method of automated cloning.

These and other features of the design provided herein may be better understood with reference to the drawings, description, and claims, all of which form the disclosure of this patent application.

BRIEF DESCRIPTION OF DRAWINGS

The above, and other, aspects, features, and advantages of several embodiments of the present disclosure will be more apparent from the following description as presented in conjunction with the following several figures of the drawings. The drawings refer to embodiments of the present disclosure in which:

FIG. 1 illustrates a block diagram of an AI based cyber security system and a clone creator configured to cooperate with a cyber security appliance to clone one or more reference networks, in accordance with an embodiment of the disclosure.

FIG. 2 illustrates a block diagram of an AI based cyber security system and a clone creator configured to cooperate with a cyber security appliance to clone a plurality of endpoint computing devices and internal servers that are communicatively coupled to a reference network, in accordance with an embodiment of the disclosure.

FIG. 3 illustrates a block diagram of a cyber security appliance with various modules cooperating with various machine learning models trained on the discrete pattern of life of one or more email and network connectivity and behavior pattern data, in accordance with an embodiment of the disclosure.

FIG. 4 illustrates an exemplary graph of a cyber threat-infested clone network used to illustrate possible effect of the cyber threat on the network, in accordance with an embodiment of the disclosure.

FIG. 5 illustrates a block diagram of a graph depicting one or more events and alerts triggered by any detected unusual email and network connectivity and behaviour patterns, in accordance with an embodiment of the disclosure.

FIG. 6 illustrates a block diagram of an embodiment of one or more computing devices that can be a part of the AI based cyber security system in accordance with an embodiment of the disclosure.

FIG. 7 illustrates a block diagram of creating a clone network by the clone creator in accordance with an embodiment of the disclosure.

FIG. 8 illustrates a block diagram of infecting a clone network by a cyber-threat in accordance with an embodiment of the disclosure.

FIG. 9 illustrates a block diagram of updating the reference network based on a clone network with potential changes to a cyber security appliance, its machine learning algorithms, a set of devices and traffic data in accordance with an embodiment of the disclosure.

While the design is subject to various modifications, equivalents, and alternative forms, specific embodiments thereof have been shown by way of example in the drawings and will now be described in detail. It should be understood that the design is not limited to the particular embodiments disclosed, but—on the contrary—the intention is to cover all modifications, equivalents, and alternative forms using the specific embodiments.

DESCRIPTION

In the following description, numerous specific details are set forth, such as examples of specific data signals, named components, number of servers in a system, etc., in order to provide a thorough understanding of the present design. It will be apparent, however, to one of ordinary skill in the art that the present design may be practiced without these specific details. In other instances, well known components or methods have not been described in detail but rather in a block diagram in order to avoid unnecessarily obscuring the present design. Further, specific numeric references such as a first server, may be made. However, the specific numeric reference should not be interpreted as a literal sequential order but rather interpreted that the first server is different than a second server. Thus, the specific details set forth are merely exemplary. Also, the features implemented in one embodiment may be implemented in another embodiment where logically possible. The specific details may be varied from and still be contemplated to be within the spirit and scope of the present design. The term coupled is defined as meaning connected either directly to the component or indirectly to the component through another component.

In general, the embodiments described herein include an artificial intelligence based cyber security system and method for automated cloning, which are used to protect an organization such as a company, a client, etc., and all of the entities of the organization (e.g., such entities may be any email and network devices, endpoint devices, network servers and databased, network addresses, user agents, domain addresses, file directories, communication ports, analysts, end users, etc.). On a high-level, the artificial intelligence-based cyber security system can take a snapshot of portions of a network environment, which can be used to create one or more clones of existing system to test specific scenarios without compromising the existing system's learning.

In various embodiments, the AI based cyber security system works by having one network bundled up in what is called the “reference network”. This is the baseline for all sandbox environments and is normally inaccessible by outside users. The clone network can be composed of one or more client machines which have fake user activity scripted on them, as well as at least one domain controller, a VSensor and one or more servers required for the cyber security appliance cSensor infrastructure to operate. The devices can be connected to the internet via a NAT gateway, which can hide the entire clone network from the outside world.

According to several embodiments, the clone creator can enable extremely rapid testing of systems and networks which involve real-time machine learning training in such a way that the machine learning algorithms can be trained while the machine learning algorithms are operating. Such real-time training can allow the users, e.g., network administrators, to rapidly examine, i.e., evaluate/assess, the machine learning algorithms that are operating. Thus, several embodiments of the present disclosure can enable independent testing of the machine learning algorithms and their effectiveness, and further determine the effect of each possible cyber threat on the clone network without disrupting the reference network. In other words, and from the user's standpoint, the user can be allowed to do real-time, i.e., live, machine learning training on the clone version of the reference network, without affecting the reference network, the reference machine learning algorithms and the weights associated with the machine learning algorithms. In some embodiments, the clone creator can create portions of the reference network.

In case of cyber security appliances that rely heavily on unsupervised machine learning, if something happens on the network, the machine learning algorithms will “remember” it. Hence, every subsequent run of the same code will produce different results in the user interface of the cyber security appliance. In order to solve this reproducibility problem, the cyber security sandbox environment disclosed herein clones the entire network of virtual machines, including a copy of the cyber security appliance, the machine learning algorithms, the user devices and the IP packet traffic, and then isolates the clone network, and unleashes the cyber threats in the clone network. This means that upon creating the clone network in sandbox environment, the machine learning algorithms will remember only the normal functioning of the reference network, and there will be no trace of the testing captured by the unsupervised machine learning.

Referring now to FIG. 1 , the AI cyber threat security system 100 with a clone creator 105 communicatively coupled to a cyber security appliance 120 (“the reference cyber security appliance”), an open source (OS) database server 122, one or more endpoint computing devices 101A-B, and a network defense system 125 with one or more entities 130-142, over one or more networks 110/112 (“reference network”), is shown, in accordance with an embodiment of the disclosure. As described above, the clone creator 105 is configured to act on the entire network, the cyber security appliance 120 and the one or more machine learning algorithms to clone them. The clone creator is further configured to 1) create a clone of one or more machine learning architectures and their corresponding one or more machine learning algorithms from a reference cyber security appliance, 2) create a clone network from the reference network in operation, 3) create a clone cyber security appliance from the reference cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms and machine learning architectures from the reference cyber security appliance, and 4) test out one or more cyber-attacks on the clone network. In some embodiments, the clone creator 105 can be a standalone device that is not part of the environment like the cyber security appliance 120, rather the clone creator 105 can sit above all of the distinct environments that each have its own cyber security appliance 120 within and manages them.

In several embodiments, the reference cyber security appliance 120 can include one or more architectures using the one or more machine learning algorithms that continue to update weights applied to its machine learning during a deployment of that machine learning architecture.

The reference network can include a set of devices, a set of user accounts, and a set of IP packet traffic, and the clone network can include a set of devices corresponding to the set of devices in the reference network, and copies of the set of user accounts and the set of IP packet traffic.

The clone network can be subject to an automatic cyber attack unleashed by the clone creator 105. The machine learning algorithms can respond to the cyber attack and attempt to detect and/or prevent it. The reference network and its devices, user accounts, and IP packet traffic will not be affected by the one or more cyber-attacks that will be unleashed on the clone network, wherein the clone network is created in a virtual machine environment.

The AI cyber threat security system 100 can further configure a user interface to cooperate with the clone creator to convey results of the one or more cyber-attacks on the clone network and analysis by the clone cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms recorded during the one or more cyber-attacks.

According to some embodiments, the clone creator 105 can create the virtual network, i.e., the clone network, based on the reference network. That is, the clone creator 105 can create the virtual network so that the clone network mirrors the reference network. The clone creator 105 can create one or more virtual machines inside the clone network, where each virtual machine is an exact copy of a reference machine of user device in the reference network with the same IP addresses, hostnames, etc.

In some embodiments, in order to clone, i.e., duplicate, from the reference network, the clone creator 105 can duplicate the set of devices, user accounts, and IP packet traffic of the reference network, by taking a snapshot of a disk image which includes a memory and settings of the set of devices and the set of user accounts being cloned. The clone creator 105 can further store the clone of the reference network in a data store. It should be noted that in some embodiments, the clone creator 105 does not take a clone of the entire physical environment, but merely of a fully-virtualised environment designed with enough portions of the virtualised environment corresponding to the actual physical environment to practice and deliberate a test/demonstration for that network.

In order to create a clone network, the clone creator can duplicate, i.e., mimic, the reference network including all the user devices inside the reference network, all the user devices' configurations, all users' activities and all the reference network traffic. Thus, once the clone creator 105 creates the clone network, there can be two identical copies of reference network: the actual reference network, and the clone network. Further, the clone creator 105 can create the machine learning algorithms that are operating within the reference network. Once the reference network is completely duplicated with all the components, i.e., all the user devices inside the reference network, all the user devices' configurations, all users' activities and all the reference network traffic), then the reference network is left intact and the clone network can begin operation on the clone network. It is worth noting that, until the cyber threat is applied, the reference network and the clone network are the same.

Additionally, in some embodiments, in order to clone, i.e., duplicate, from the reference cyber security appliance, the clone creator 105 can make the clone that has the one or more machine learning architectures using the one or more machine learning algorithms, by taking a snapshot of a disk image which can include a memory and settings including its machine learning weights of the one or more machine learning architectures. Similarly, the clone creator 105 can store the clone of the reference network in the data store.

The cyber threat can be applied to the clone network and all events that take place within the clone network can be recorded to determine what the cyber threat will do to the clone network. Put it differently, the clone creator 105 can take a snapshot of the exact memory and disk of every machine, user device, traffic, etc. that is running in the reference network and start the clone network along with the reference network. In several embodiments, the clone creator 105 can create multiple clone networks and one or more clone networks can run different cyber threats. This way, several cyber threats can be evaluated simultaneously by the clone networks which are identical to the reference network. In some embodiments, the reference network will not be affected by the one or more cyber attacks that will be unleashed on the clone network.

The cyber threat can be a simple single-stage attack or a complicated multistage attack, such as a ransomware. The cyber threat can run exclusively on the clone networks, which are running independent of each other and of the reference network. As a result, regardless the effect of a particular cyber threat on the clone networks it is running in, other clone networks and the reference network are not affected in any way by that particular cyber threat.

While the cyber threat is applied to the clone network and is running on the clone network, the machine learning algorithms are being trained, i.e., learning, how to deal with cyber threat in future. However, the reference machine learning algorithms running within the reference network are still intact. Once the cyber threat is evaluated, the clone network in which the cyber threat was running can be discarded. The clone creator can create a new clone network and the next cyber threat can be applied to the new clone network.

In some embodiments, the user may be interested in evaluating the effect of the cyber threat on a component that may not be part of the reference network. The clone creator can then create fake component, e.g., external infrastructure, that resembles actual network components. For example, the clone creator can operate servers that intercept traffic intended for public IP addresses, appearing to the clone as though it is contacting the public internet. Therefore, the clone creator can evaluate the effect of the cyber threat on the website despite the fact that the clone network does not own the website. Thus, the user can evaluate the effect of the cyber threat on components that are not even parts of the clone network.

In several embodiments, the clone network can be created in a virtual machine environment. Unlike simulation methods which are mainly focused on taking a real environment and figuring out possible cyber threats and their possible damages to the environments, present disclosure can facilitate performing repeatable tests against machine learning algorithms that are actively monitoring a network that is acting “normally”.

As noted above, the clone networks can operate within a sandbox environment. That is, the clone network, i.e., the virtual network, that the clone creator creates can be isolated from the vital infrastructure of the business, while being connected to the Internet. Sandboxes are widely used to test code, malware or any software in a safe manner. This way, whenever things go wrong, the user can delete the sandbox, create a new sandbox and start over. A simple approach to this would be to have a cyber security appliance hooked up to one or more virtual machines that the user can reset on demand.

In order to create a sandbox environment, the clone creator 105 can create a clone network which is made of the entire reference network, that can include the servers and the cyber security appliance, carrying over the historic data. Importantly, all machines within the clone network have the same (local) IP addresses as in the reference network, therefore no data is lost, and all virtual machines are picked up without any issues.

Furthermore, there can be multiple clone networks running concurrently, allowing for multiple users to run tests concurrently. In addition to that, the clone networks created are protected by default, i.e., only the user asking for a sandbox (and the admin) can access the clone network.

In some embodiments, the clone network can be connected to an internal network, e.g., an intranet, associated with the user. The user can connect to the internal, cloned network from the outside to carry out some actions, such as downloading a file, running an application or accessing the monitoring appliance. Additionally, the user can utilize the internal network to make any desired changes to the clone network.

In some embodiments, the clone creator 105 can set up one or more sandbox environments. Each sandbox environment can be populated with one or more virtual machines to implement the clone network. Thus, the sandbox environment can include the set of devices, the set of user accounts, the set of IP packet traffic, and a virtual machine which can implement a reference copy of the cyber security appliance and the one or more machine learning architectures. Creating a clone version of the network and running possible cyber threats in a sandbox environment can facilitate performing an actual cyber security threat, i.e., attack, and evaluating what would happen to the network and its components, i.e., devices, accounts, etc. and what the damages would be.

The present disclosure can further allow various cyber threats to run inside the clone network in a sandbox environment. The clone creator can unleash the cyber threat in the clone network in the form of a software attack and then look for any security vulnerabilities, risks, threats, and/or weaknesses potentially gaining access to one or more features and data of that specific user/device/entity.

To that end, the clone creator 105 can include a cyber threat creator. The cyber threat creator can unleash an actual cyber threat attack on the clone network, including the set of devices, the set of user accounts and the set of IP packet traffic. The actual cyber threat may act upon the clone network of devices. The one or more virtual machines can be protected by the copy of the cyber security appliance and the one or more machine learning architectures. In some embodiments, while the cyber threat is running, the AI based cyber security system 100 can make desired changes in response to the cyber threat in the clone network.

In several embodiments, the clone cyber security appliance can continue to update weights applied to the one or more machine learning algorithms during a deployment of the one or more machine learning architectures.

In various embodiments, the clone network operates independent of the reference network. As such, anything that occurs inside the clone networks cannot affect the reference network, e.g., there is no feedback.

In some embodiments, the AI based cyber security system 100 can include a user interface and a data management module residing in the clone creator 105. The clone creator 105, the cyber threat creator and the data management module can cooperate with the data store and the user interface to record events in the clone cyber security appliance 120 and the clone network. The recorded events can include lateral movement and the set of devices and the set of user accounts compromised during the actual cyber threat attack in the clone network and actions taken by the clone cyber security appliance 120 to detect the actual cyber threat attack on the clone network, and actions taken by the clone cyber security appliance to mitigate the actual cyber threat attack.

In some embodiments, the user interface can be an application program interface. By recoding the clone network in operation, the user can monitor the events occurring inside the clone network in real-time while the clone network is running.

The user interface can further display, on a display screen, the recorded events to a user and allow a user to watch and observe what is happening in the clone cyber security appliance and the clone network.

In some embodiments, the machine learning algorithms can learn from the repeatable, independent testing performed by the clone networks. The results can further be used to determine the automatic response of the system in countering future cyber threats.

In some embodiments, the machine learning algorithms running on the clone network can be changed and the cyber threat can be run on the clone network. If the results of the machine learning algorithms in countering the cyber threats is satisfactory, the machine learning algorithms can be redeployed to the reference network. However, the reference network has no knowledge of the cyber threat.

Accordingly, an environment where repeatable cyber-attacks can be carried out is created, without the trouble of retraining the Artificial intelligence algorithms.

As such, the endpoint devices 101A-B may be accessible and communicatively coupled to the clone creator 105, the cyber security appliance 120, and/or the entities 130-142 in the network defense system 125 via the network 110, the second firewall (FW-2) (or the front-end firewall FW-2), and the network 112. For example, as shown in FIG. 1, it should be observed that the endpoint devices 101A-B may communicate with the one or more entities 130-142 in the network defense system 125 respectively through each of the first and second firewalls FW-1/FW-2 as well as each of the first and second networks 110/112. Similarly, the clone creator 105 may communicate with the entities 130-142 in the network defense system 125 via the network 110 (e.g., the Internet), the front-end firewall FW-2, and then the network 112.

Furthermore, the endpoint devices 101A-B may be communicatively coupled to the cyber security appliance 120 via the first firewall defense (FW-1) and the first network 110, and to any of the entities 130-142 in the network defense system 125 via the second firewall FW-2 and the second network 112. In most embodiments, each of the devices 101A-B may be resident of its own respective host endpoint agents (e.g., as shown with the host endpoint agents 211A-B on the endpoint computing devices 201A-B depicted in FIG. 2 ). The endpoint devices 101A-B may include, but are not limited to, a mobile phone, a tablet, a laptop, a desktop, Internet of Things (IoT) appliance, and/or the like. Moreover, the endpoint devices 101A-B may be any variety of computing devices capable of cooperating with each other and/or with any of the entities, devices, networks, and so on, over any of the networks 110/112. In several embodiments, the endpoint device 101A may be configured to operate substantially similar to the endpoint device 101B. However, in other embodiments, the endpoint device 101A may be configured to operate different from the endpoint device 101B based on different user roles, permissions, hierarchical relationships, peer groups, etc., in that organization. The endpoint devices 101A-B may include host agents having multiple modules configured to cooperate with each other.

In some embodiments, the networks 110/112 may be implemented as an informational technology network, an operational technology network, a cloud infrastructure, a SaaS infrastructure, a combination thereof, and/or any other type of network capable of communicatively coupling one or more entities/endpoint devices to one or more other entities/endpoint devices. For example, at least one or more of the networks 110/112 may also include one or more networks selected from, but not limited to, an optical network, a cellular network, the Internet, a Local Area Network (LAN), a Wide Area Network (WAN), a satellite network, a cloud-based network, a fiber network, a cable network, any combinations thereof, and/or any other communications network capable of communicatively coupling the one or more endpoint devices 101A-B, the AI clone creator 105, and/or the cyber security appliance 120 to the OS database server 122 and any of the other entities (or servers) 130-142. Furthermore, in some embodiments, the network 110 may be an OT network and/or the like (e.g., the Internet), while the network 112 may be an IT network and/or the like.

The clone creator may include multiple modules configured to cooperate with each other in conjunction with one or more modules residing in the endpoint devices 101A-B, and/or the various entities 130-142 in the network defense system 125. Furthermore, as described below in greater detail in FIG. 3 , the clone creator may include the one or more modules to communicate triggered response(s), if any, with the users associated with those respective endpoint devices 101A-B. Whereas, other modules of the cyber security appliance 120 may be used to display data, metrics, etc., regarding other host endpoint agents residing on other respective local endpoint computing devices, where such data may be unified as translated data from those endpoint computing devices and the endpoint devices 101A-B.

For example, the cyber security appliance 120 may use the at least one or more AI/machine learning models to analyze the pattern of life data for each endpoint device 101A-B and/or each entity 130-142, where each endpoint device 101A-B and entity 130-142 may be communicatively connected to one or more application programming interfaces (APIs) hosted by the cyber security appliance 120. This allows the cyber security appliance 120 to implement those AI/machine learning models trained on the respective endpoint computing devices 101A-B and entities 130-142 to: (i) analyze the collected pattern of life data for the respective host endpoint agents and the respective entity modules connected to the respective APIs hosted by the cyber security appliance 120; and (ii) then compare that analyzed pattern of life data against a normal pattern of life observed for those respective endpoint computing devices 101A-B and entities 130-142. Accordingly, this cooperation between the cyber security appliance 120 and the endpoint devices 101A-B and entities 130-142 may be used to protect against any unusual cyber security threats that may arise from malicious processes which cause unusual network traffic, etc.

As described above, the network defense system 125 may include one or more entities 130-142 depicted as one or more servers (or content-based server machines). The network defense system 125 may be implemented to protect all the entities 130-142 and any other entities. For example, the AI cyber security system 100 may configure the network defense system 125 to protect all of the respective entities 130-142, external/internal email network(s), network-based entities (e.g., such as internal networking databases), and/or any other external/internal network systems.

As shown in FIG. 1 , the network entities 130-142 in the network defense system 125 may be accessible to the clone creator 105, the cyber security appliance 120, and/or the endpoint devices 101A-B, respectively via the network 110, the firewall FW-2, and the network 112. Furthermore, it should be noted that the endpoint devices 101A-B may communicate with the entities 130-142 in the network defense system 125 through both firewalls FW-1/FW-2 and both networks 110-112. Similarly, the clone creator 105 may access any of the respective entities 130-142 in the network defense system 125 via the network 110 (e.g., the Internet), the front-end firewall FW-2, and the network 112. Furthermore, the entities 130-142 may be connectable via the front-end firewall FW-2 and network 112 by having certain associated logging capabilities.

As shown in FIG. 1 , the entities 130-142 residing in the network defense system 125 may include, but are not limited to, a communication server 130, a domain name server (DNS) 132, a web server 134, an email server 136, a proxy server 138, an FTP Server 140, and a file server 142. Similarly, any other entities (not shown) may be part of and reside in the network defense system 125, which may be relevant to collect data, store data, transfer data, and so on, such as an anti-virus server, a router, a gateway, and/or the like. Each of the entities 130-142 may be connectable via an internal client network such as the network 112. In some embodiments, more than one or more of the entities 130-142 may be associated with its own internal client network (not shown), where each client network may represent an organizational sub-section, department, peer group/team, and so on. Optionally, various of these internal client networks may be further protected behind one or more other internal firewalls (not shown).

Furthermore, as described above, the OS database server 122 may be connectable and used to periodically query, search, and retrieve specific data (or data points) pertaining to the organization and all its entities.

The AI based cyber security system 100 may include and cooperate with one or more AI models trained with machine learning on the contextual knowledge of the organization. These trained AI models may be configured to identify data points from the contextual knowledge of the organization and its entities, which may include, but is not limited to, language-based data, email/network connectivity and behavior pattern data, and/or historic knowledgebase data.

Referring now to FIG. 2 , an AI based cyber security system 200 with a clone creator 105 communicatively coupled over a network 110 with at least one or more of a cyber security appliance 120, host endpoint agents 211A-D, endpoint computing devices 201A-D, and/or entities 122/130/136 is shown, in accordance with an embodiment of the disclosure. Similar to the clone creator 105 depicted above in FIG. 1 , the AI based cyber security system 200 may implement the clone creator 105 depicted in FIG. 2 to clone any of the depicted agents 211A-D, devices 201A-D, and/or entities 130/136 via the one or more secure communication channels established with the network 110. In several embodiments, as described above, the cyber security appliance 120 may be configured to receive any collected email and network activities and behavior pattern data from any of the endpoint devices 201A-D, the host endpoint agents 211A-D, and/or the entities 130/136. Such host endpoint agents 211A-D may be located and executed on the respective endpoint computing devices 201A-D. In some embodiments, the clone creator 105 can be configured to clone the cyber security appliance 120.

The AI based cyber security system 200 depicted in FIG. 2 may be substantially similar to the AI based cyber security system 100 depicted in FIG. 1 . As such, in most embodiments, the endpoint devices 211A-D, the network 110, the clone creator 105, the AI based cyber security appliance 120, and the entities 130/136 depicted in FIG. 2 may be substantially similar to the endpoint devices 101A-B, the network 110 (and/or the network 112), the clone creator 105, the AI based cyber security appliance 120, and the entities 130/136 depicted and described in great detail above in FIG. 1 .

In some embodiments, the host endpoint agents 211A-D may be configured to reside on their respective endpoint devices 201A-D and to: (i) have a low system impact on their respective endpoint devices 201A-D and runs without degrading its performance significantly; (ii) monitor the “pattern of life” of their respective endpoint devices 201A-D (e.g., including monitoring at least one or more of: (a) process behavior (use of network, filesystem, etc.), (b) relationships between processes (parent/child, shared files, IPC, etc.), and/or (c) user behavior (applications commonly used, IT habits, etc.); (iii) make reports on pattern of life metadata, events and alerts to an API whenever connected to the internet or LAN, and while offline, cache data to deliver when possible; (iv) assist in performing IT audits while also completing pattern of life data and events (e.g., including assisting in at least one of more of: (a) audit system details, for example installed operating systems, installed software, software versioning, security update status, etc.; (b) gather system usage activity such as shutdown periods, login failures, file modifications, network connections, etc.; and/or (c) record use of external devices or transfer protocols (e.g., USB usage, Bluetooth usage, email usage, etc.); and/or (v) lastly react autonomously to anomalies in pattern of life (e.g., including responding with at least one or more actions to: (a) cooperate with the appliance 120 with its significantly greater processing power, sets of models including, for example, pulling when available, any actions to be taken and/or be able to take a limited set of actions when a connection to the cyber defense system 200 is not available; (b) provide an operator with the ability to enable the respective host endpoint agents 211A-D to perform a select number of relatively simple actions, when predefined conditions of suspicious behavior and/or anomaly scores/levels are met, independent of the cyber defense appliance; and/or (c) simple and default actions such as actions to prompt user, quarantine a suspicious process (from network access and process as well as internal computing device's process and filesystem), shutdown the offending processes, and so on).

The communications network may connect one or more server computing systems selected from at least a first server computing system and a second server computing system to each other and to at least one or more client computing systems as well. The server computing systems may each optionally include organized data structures such as databases. Each of the one or more server computing systems may have one or more virtual server computing systems, and multiple virtual server computing systems may be implemented by design. Each of the one or more server computing systems may have one or more firewalls and similar defenses to protect data integrity.

At least one or more client computing systems for example, a mobile computing device (e.g., smartphone with an Android-based operating system) may communicate with the server(s). The client computing system may include, for example, the software application or the hardware-based system in which may be able exchange communications with the first electric personal transport vehicle, and/or the second electric personal transport vehicle. Each of the one or more client computing systems may have one or more firewalls and similar defenses to protect data integrity.

A cloud provider platform may include one or more of the server computing systems. A cloud provider may install and operate application software in a cloud (e.g., the network such as the Internet) and cloud users may access the application software from one or more of the client computing systems. Generally, cloud users that have a cloud-based site in the cloud may not solely manage a cloud infrastructure or platform where the application software runs. Thus, the server computing systems and organized data structures thereof may be shared resources, where each cloud user is given a certain amount of dedicated use of the shared resources. Each cloud user's cloud-based site may be given a virtual amount of dedicated space and bandwidth in the cloud. Cloud applications may be different from other applications in their scalability, which may be achieved by cloning tasks onto multiple virtual machines at run-time to meet changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point.

Cloud-based remote access may be configured to utilize a protocol, such as hypertext transfer protocol (“HTTP”), to engage in a request and response cycle with an application on a client computing system such as a web-browser application resident on the client computing system. The cloud-based remote access may be accessed by a smartphone, a desktop computer, a tablet, or any other client computing systems, anytime and/or anywhere. The cloud-based remote access may be configured to engage in: the request and response cycle from all web browser based applications; the request and response cycle from a dedicated on-line server; the request and response cycle directly between a native application resident on a client device and the cloud-based remote access to another client computing system; and/or combinations thereof.

In an embodiment, the server computing system may include a server engine, a web page management component, a content management component, and a database management component. The server engine may perform basic processing and operating system level tasks. The web page management component may handle creation and display, or routing of web pages or screens associated with receiving and providing digital content and digital advertisements. Users (e.g., cloud users) may access one or more of the server computing systems by means of a uniform resource locator (URL) associated therewith. The content management component may handle most of the functions in the embodiments described herein. The database management component may include, but is not limited to, storage and retrieval tasks with respect to the database, queries to the database, storage of data, and so on.

In some embodiments, a server computing system may be configured to display information in a window, a web page, or the like. An application including any program modules, applications, services, processes, and other similar software executable when executed on, for example, the server computing system, may cause the server computing system to display windows and user interface screens in a portion of a display screen space. With respect to a web page, for example, a user via a browser on the client computing system may interact with the web page, and then supply input to the query/fields and/or service presented by the user interface screens. The web page may be served by a web server, for example, the server computing system, on any hypertext markup language (HTML), wireless access protocol (WAP) enabled client computing system (e.g., the client computing system), and/or any equivalent thereof.

The client computing system may host a browser and/or a specific application to interact with the server computing system. Each application has a code scripted to perform the functions that the software component is configured to carry out such as presenting fields to take details of desired information. Algorithms, routines, and engines within, for example, the server computing system may take the information from the presenting fields and put that information into an appropriate storage medium such as a database (e.g., database). A comparison wizard may be scripted to refer to a database and make use of such data. The applications may be hosted on, for example, the server computing system and served to the specific application or browser of, for example, the client computing system. The applications then serve windows or pages that allow entry of details.

Referring now to FIG. 3 , a cyber security appliance 120 with various modules cooperating with various AI/machine learning models trained on various observed data points is shown, in accordance with an embodiment of the disclosure. The cyber security appliance 120 may include components one or more modules, stores, and/or components, including, but not limited to, a trigger module, a gather module (or a collections module), a data store, a host module, a user interface and display module, an autonomous response module, at least one input or output (I/O) port to securely connect to other network ports as required.

Furthermore, the cyber security appliance 120 may include one or more AI and machine learning models such as, but not limited to, a first set of AI models (i.e., the AI model network pattern of life) trained different aspects of the network including users, devices, system activities and interactions between entities in the system, and other aspects of the system; a second set of AI models (i.e., the AI model host pattern of life) trained on pattern of life of host/endpoint computing devices hosting instances of the respective endpoint agents (e.g., trained on the pattern of life pertaining to the endpoint devices 101A-B) including: the users, the multiple software processes, relationships between the software processes, device operation, operating system configuration changes, and other such aspects; a third set of AI models (i.e., the AI model potential cyber threats) trained on any variety of potential cyber threats; and one or more other types of AI models (i.e., the AI model normal pattern of life), each trained on different types of computing devices and operating systems for each type of particular computing device, and other aspects of the systems, as well as other similar components in the cyber security appliance 120. The one or more modules utilize probes to interact with entities in the network (e.g., as described above with the probes depicted in FIG. 3 ). It should be noted that many of these modules shown in FIG. 3 are substantially similar to the respective modules used in the endpoint devices 101A-B and/or the cyber security appliance 120 described above in FIGS. 1-3 , such that those respective modules may be referenced herein without any limitation.

The trigger module may detect time stamped data indicating one or more events and/or alerts from unusual and/or suspicious behavior/activity that are occurring and may then trigger that something unusual is happening. Accordingly, the gather module may be triggered by specific events and/or alerts of anomalies, such as an abnormal behavior, a suspicious activity, and/or any combination thereof. The inline data may be gathered on the deployment from a data store when the traffic is observed. The scope and wide variation of data available in the data store results in good quality data for analysis. The collected data may be passed to the various modules as well as to the data store.

The gather module (or the collections module) may comprise of multiple automatic data gatherers that each look at different aspects of the data depending on the particular hypothesis formed for the analyzed event and/or alert. The data relevant to each type of possible hypothesis will be automatically pulled from additional external and internal sources. Some data is pulled or retrieved by the gather module for each possible hypothesis from the data store. A feedback loop of cooperation may occur between the gather module and the various modules including, but not limited to, the network module, the host endpoint agent coordinator module, the communications module, the cyber threat module, and/or the researcher module.

In addition, the coordination occurs between the above modules and the one or more AI models trained on different aspects of this process. The cyber threat module may cooperate with the network module and the host endpoint agent coordinator module to identify cyber threats based on analysis and determinations by the analyzer module, the anomaly score module, and such. Each hypothesis of typical cyber threats may have various supporting points of data and other metrics associated with that possible threat, such as a human user insider attack, inappropriate network behavior, inappropriate behavior in a particular endpoint computing device, etc. The AI/machine-learning algorithm may look at the relevant points of data to support or refute that particular hypothesis of what the suspicious activity or abnormal behavior related for each hypothesis on what the suspicious activity or abnormal behavior relates to. Networks may have a wealth of data and metrics that may be collected. The gatherer modules may then filter or condense the mass of data down into the important or salient features of data. In an embodiment, the various modules may be combined or kept as separate modules.

The network module and/or the communications module may receive data on the network from the set of probes. For example, each host endpoint agent 101A-B may communicate and exchanges information with the cyber security appliance 120. The network and/or communications modules may reference any of the various available AI machine learning models. The endpoint agent coordinator module may reference one or more of the AI models, using machine learning and Artificial Intelligence algorithms, that are trained on a normal pattern of life of that endpoint computing device with that host endpoint agent 101A-B. The network module may also reference one or more AI/machine learning models, using machine learning and AI algorithms, that are trained on a normal pattern of life of the network.

A researcher module (or a comparator module) may compare the received data on the network and/or the endpoint devices 101A-B to the normal pattern of life for these individual entities and others in the wider network context in order to detect anomalies and any future potential cyber threats. Note that, once the normal pattern of life has been learned by the models, the network module, the endpoint agent coordinator module, and/or the researcher module may readily identify the anomalies in the normal pattern of life and thus any unusual behaviors from the devices, users, or other aspects of the network and its associated host/endpoint computing devices. Also note that, once the normal pattern of life has been learned by the models, any other modules may be configured to cooperate together to readily identify the anomalies in the normal pattern of life and thus any unusual behaviors from the devices, users, or processes of the network and so on.

The coordinator module may analyze and integrate both activities occurring in the network as well as activities occurring internally within each end-point computing-device at the same time when analyzing the detected anomalies in the normal pattern of life in order to detect the cyber threat. For example, each host endpoint agent may provide pattern of life data to the cyber defense appliance so it may derive pattern of life for each end-point computing-device.

The graphical user interface may display metrics, alerts, and events of both the network in light of activities occurring in endpoint computing device on a common display screen. The graphical user interface allows a viewer to visually contextualize the metrics, alerts, and/or events occurring in the network in light of the activities occurring in the end-point computing-devices on the common display screen. The graphical user interface also allows a viewer to then to confirm the detected cyber threat in view of what is happening in the network as well as in the endpoint computing devices.

The cyber threat module may compare one or more of the detected anomalies by referencing one or more machine learning models trained on, at least, the cyber threat. Multiple AI/machine learning models may be trained, each model trained on a category of cyber threats and its corresponding members or each model trained on its own specific cyber threat. The cyber threat module cooperates and communicates with the other modules.

The cyber security appliance 120 may supplement the data provided to the users and cyber professionals using a researcher module. The researcher module may use one or more artificial intelligence algorithms to assess whether the anomalous activity has previously appeared in other published threat research or known lists of malicious files or Internet addresses. The researcher module may consult internal threat databases or external public sources of threat data. The researcher module may collect an outside data set describing at least one of an action or a state related to the cyber threat present outside of the network from at least one data source outside the network.

The cyber security appliance 120 may then take actions in response to counter detected potential cyber threats. The autonomous response module, rather than a human taking an action, may be configured to cause one or more rapid autonomous actions in response to be taken to counter the cyber threat. In some embodiments, the user interface for the response module may program the autonomous response module (i) to merely make a suggested response to take to counter the cyber threat that will be presented a display screen and/or sent by a notice to an administrator for explicit authorization when the cyber threat is detected; and/or (ii) to autonomously take a response to counter the cyber threat without a need for a human to approve the response when the cyber threat is detected. The autonomous response module may then send a notice of the autonomous response as well as display the autonomous response taken on the display screen.

The cyber threat module may cooperate with the autonomous response module to cause one or more autonomous actions in response to be taken to counter the cyber threat, improves computing devices in the system by limiting an impact of the cyber threat from consuming unauthorized CPU cycles, memory space, and power consumption in the computing devices via responding to the cyber threat without waiting for some human intervention.

It should be understood that the cyber security appliance 120 may be hosted on any type and number of computing devices, servers, etc., and/or may be configured as its own cyber threat appliance platform, without limitations.

Referring now to FIG. 4 , an exemplary graph 500 of a generated example of a cyber threat-infested clone network is shown, in accordance with an embodiment of the disclosure. For example, the graph 500 may be used to illustrate an attack by a cyber threat in conjunction with trained AI models cooperating with AI classifiers in producing a list of specific organization-based classifiers for those AI classifiers.

As shown in FIG. 4 , initially, the cyber threat is unleashed in the clone network. The cyber threat may then initiate a specific attack on a specific user that activates, for example, a spoofed payload and thus executes on a device “n” (as shown with the focal and initial “Device n” in FIG. 4 ) in the organization. In some embodiments, the clone creator may be configured to cooperate with the analyzer module and communicate with the profile manager via one or more APIs hosted by the cyber security appliance. As described above, the profile manager module may be used to capture the graph 500, as the profile manager module is configured to maintain all of the profile tags on all of the devices and entities of the organization connecting to that depicted network under analysis. Furthermore, the network module may be used to capture the graph 500, as the network module is particularly used to cooperate with one or more network probes ingesting traffic data of, for example, the depicted network entities, devices, paths, and so on in the depicted network defense system. One or more particular profile tags may be maintained based on their behavior pattern data observed by using the ingested data from the email and/or network modules in conjunction with the trained AI models modelling the normal pattern of life for those entities, devices, paths, etc., depicted in that network defense system in order to obtain those depicted network connectivity and behavioral knowledge and patterns about each of those specific entities, devices, paths, etc., shown with the exemplary graph 500 in FIG. 4 .

Referring now to FIG. 5 , an exemplary graph 600 for depicting events and alerts triggered by various detected unusual network connectivity and behaviour pattern data in relation to their cyber-threat scores and detected event launch times is shown, in accordance with an embodiment of the disclosure. The graph 600 may depict a cluster of unusual behaviors detected and analyzed in an AI cyber security platform, where the cluster of detected unusual behaviors may include, but are not limited to, any detected unusual payload activations based on any email and network activity and/or data transfers as well as any other unusual behavior patterns. For example, the graph 600 may depict one or more different machine learning models (as described above) that are trained to analyze any detected unusual behavior patterns from the collected pattern of life data against the normal pattern of life from any collected data from any of the entities in the organization.

In some embodiments, the graph 600 may be provided as a user interface used to show a user the cluster of alerts and/or events associated with the variety of detected unusual email/network activity, data transfers, and behavior patterns, which may further include the respective detailed labels of the characteristics of such detected alerts and/or events. Note that, in these embodiments, the AI based cyber security system may utilize any of the AI models described above for any of its trained contextual knowledge of the organization which includes language-based data, email and network connectivity and behavior pattern data, and historic knowledgebase data.

In other examples, a behavioural pattern analysis of what are the unusual behaviours of the email/network/system/device/user under analysis by the machine learning models may be as follows. The cyber defence system uses unusual behaviour deviating from the normal behaviour and then builds a sequence of unusual behaviour and the causal links between that sequence of unusual behaviour to detect cyber threats as shown with the graph 600 in FIG. 5 . In additional embodiments, the unusual patterns may be determined by filtering out what activities/events/alerts that fall within the window of what is the normal pattern of life for that network/system/device/user under analysis, and then the pattern of the behaviour of the activities/events/alerts that are left, after the filtering, can be analysed to determine whether that pattern is indicative of a behaviour of a malicious actor—human, program, or other threat. Next, the cyber defence system can go back and pull in some of the filtered out normal activities to help support or refute a possible hypothesis of whether that pattern is indicative of a behaviour of a malicious actor. The analyser module can cooperate with one or more models trained on cyber threats and their behaviour to try to determine if a potential cyber threat is causing these unusual behaviours. If the pattern of behaviours under analysis is believed to be indicative of a malicious actor, then a score of how confident is the system in this assessment of identifying whether the unusual pattern was caused by a malicious actor is created. Next, also assigned is a threat level score or probability indicative of what level of threat does this malicious actor pose. Lastly, the cyber defence system is configurable in a user interface, by a user, enabling what type of automatic response actions, if any, the cyber defence system may take when different types of cyber threats, indicated by the pattern of behaviours under analysis, that are equal to or above a configurable level of threat posed by this malicious actor.

The AI models may perform by the threat detection through a probabilistic change in a normal behaviour through the application of an unsupervised Bayesian mathematical model to detect behavioural change in computers and computer networks. The core threat detection system is termed the ‘Bayesian probabilistic’. The BP approach can determine periodicity in multiple time series data and identify changes across single and multiple time series data for the purpose of anomalous behaviour detection. From the email and potentially IT network raw sources of data, a large number of metrics can be derived each producing time series data for the given metric.

The detectors in the analyser module including its network module (simulator can get extract meta data from network module) and email module components can be discrete mathematical models that implement a specific mathematical method against different sets of variables with the target. Thus, each model is specifically targeted on the pattern of life of alerts and/or events coming from, for example, i) that cyber security analysis tool analysing various aspects of the emails, iii) coming from specific devices and/or users within a system, etc. At its core, the cyber security appliance may mathematically characterize what constitutes ‘normal’ behaviour in line with the normal pattern of life for that entity and organization based on the analysis of a large number/set of different measures of a device's network behaviour. Such appliance can build a sophisticated ‘pattern of life’— that understands what represents normality for every person, device, entity, email activity, and network activity in the system being protected by the cyber threat defense system. For example, the analyzer module may rank supported candidate cyber threat hypotheses by a combo of likelihood that this candidate cyber threat hypothesis is supported and a severity threat level of this incident type.

In addition, the correlation of the reporting and formatting modules may be configured to generate the report (or the graphs) with the identified critical devices of the network under analysis that should have the priority to allocate security resources to them, along with one or more portions of the constructed graph. The formatting module may have an autonomous email-report composer that cooperates with the various AI models and modules of the AI based cyber security system as well as at least a set of one or more libraries of sets of contextual text, objects, and visual representations to populate on templates of pages in the email threat report based on any of the training and/or simulated attacking scenarios observed. The autonomous email-report composer can compose an email threat report on cyber threats that is composed in a human-readable format with natural language prose, terminology, and level of detail on the cyber threats aimed at a target audience being able to understand the terminology and the detail. Such modules and AI models may cooperate with the autonomous email-report composer to indicate in the email threat report, for example, an email attack's purpose and/or targeted group (such as members of the finance team, or high-level employees).

The formatting module may format, present a rank for, and output the current email threat report, from a template of a plurality of report templates, that is outputted for a human user's consumption in a medium of, any of 1) a printable report, 2) presented digitally on a user interface, 3) in a machine readable format for further use in machine-learning reinforcement and refinement, and 4) any combination of the three. The system may use at least three separate machine learning models or any particular number of separate AI machine learning models. For example, a machine learning model may be trained on specific aspects of the normal pattern of life for entities in the system, such as devices, users, email/network traffic flow, outputs from one or more cyber security analysis tools analysing the system, etc. One or more machine learning models may also be trained on characteristics and aspects of all manner of types of cyber threats. One or more machine learning models may also be trained on composing email threat reports.

This AI cyber security system within an instance of the reference or cloned environments may therefore be built and trained to have a sophisticated ‘pattern of life’— that understands what represents normality for every person, device, and network activity associated with any of the users and/or entities in such system being protected by such AI cyber threat security system.

The AI cyber security system within an instance of the reference or cloned environments may have the ability to self-learn and detect normality in order to spot true anomalies, allowing organizations of all sizes to understand any unusual behaviors of users, machines, tokens (or symbols, process chains, etc.), and so on, observed within any respective and discrete host device(s) and network(s) at both an individual and group level. Monitoring behaviors, rather than using predefined descriptive objects and/or signatures, means that more attacks may be spotted ahead of time and extremely subtle indicators of wrongdoing may be detected. Unlike traditional legacy defenses, a specific attack type or new malware does not have to have been seen first before it may be detected. A behavioral defense approach mathematically models both machine and human activity behaviorally, at and after the point of compromise, in order to predict and catch today's increasingly sophisticated cyber-attack vectors. It is thus possible to computationally establish what is normal, in order to then detect what is abnormal.

This AI cyber security system within an instance of the reference or cloned environments may thus be capable of making value judgments and carrying out higher value, more thoughtful tasks. Machine learning requires complex algorithms to be devised and an overarching framework to interpret the results produced. However, when applied correctly these approaches may facilitate machines to make logical, probability-based decisions and undertake thoughtful tasks.

Advanced machine-learning is at the forefront of the fight against automated and human-driven cyber-threats, overcoming the limitations of rules and signature-based approaches: (i) The machine-learning learns what is normal within a network—it does not depend upon knowledge of previous attacks. (ii) The machine-learning thrives on the scale, complexity and diversity of modern businesses, where every device and person is slightly different. (iii) The machine-learning turns the innovation of attackers against them—any unusual activity is visible. (iv) The machine-learning constantly revisits assumptions about behavior, using probabilistic mathematics. (v) The machine-learning is always up to date and not reliant on human input.

Utilizing machine-learning in cyber security technology is difficult, but when correctly implemented it is extremely powerful. The machine-learning means that previously unidentified threats may be detected, even when their manifestations fail to trigger any rule set or signature. Instead, machine-learning allows the system to analyze large sets of data and learn a ‘pattern of life’ for what it sees. Machine learning may approximate some human capabilities to machines, such as: (i) thought: it uses past information and insights to form its judgments; (ii) real time: the system processes information as it goes; and (iii) self-improving: the model's machine-learning understanding is constantly being challenged and adapted, based on new information. New unsupervised machine-learning therefore allows computers to recognize evolving threats, without prior warning or supervision.

Note that, in other embodiments, one or more other detectors and data analysis process may be employed as detailed below, without limitations.

Unsupervised Machine Learning

Unsupervised learning works things out without pre-defined labels. In the case of sorting the series of different animals, the system analyzes the information and works out the different classes of animals. This allows the system to handle the unexpected and embrace uncertainty. The system does not always know what it is looking for, but may independently classify data and detect compelling patterns.

The cyber threat defense system's unsupervised machine learning methods do not require training data with pre-defined labels. Instead, they are able to identify key patterns and trends in the data, without the need for human input. The advantage of unsupervised learning is that it allows computers to go beyond what their programmers already know and discover previously unknown relationships.

The cyber threat defense system uses unique implementations of unsupervised machine learning algorithms to analyze network data at scale, intelligently handle the unexpected, and embrace uncertainty. Instead of relying on knowledge of past threats to be able to know what to look for, it is able to independently classify data and detect compelling patterns that define what may be considered to be normal behavior. Any new behaviors that deviate from those, which constitute this notion of ‘normality,’ may indicate threat or compromise. The impact of the cyber threat defense system's unsupervised machine learning on cyber security is transformative: (i) Threats from within, which would otherwise go undetected, may be spotted, highlighted, contextually prioritized and isolated using these algorithms. (ii) The application of machine learning has the potential to provide total network visibility and far greater detection levels, ensuring that networks have an internal defense mechanism. (iii) Machine learning has the capability to learn when to action automatic responses against the most serious cyber threats, disrupting in progress attacks before they become a crisis for the organization.

This new mathematics not only identifies meaningful relationships within data, but also quantifies the uncertainty associated with such inference. By knowing and understanding this uncertainty, it becomes possible to bring together many results within a consistent framework—the basis of Bayesian probabilistic analysis. The mathematics behind machine learning is extremely complex and difficult to get right. Robust, dependable algorithms are developed, with a scalability that enables their successful application to real-world environments.

Overview

In an embodiment, a closer look at the cyber threat defense system's machine learning algorithms and approaches is as follows.

The cyber threat defense system's probabilistic approach to cyber security is based on a Bayesian framework. This allows it to integrate a huge number of weak indicators of potentially anomalous network behavior to produce a single clear measure of how likely a network device is to be compromised. This probabilistic mathematical approach provides an ability to understand important information, amid the noise of the network—even when it does not know what it is looking for.

Ranking Threats

Crucially, the cyber threat defense system's approach accounts for the inevitable ambiguities that exist in data and distinguishes between the subtly differing levels of evidence that different pieces of data may contain. Instead of generating the simple binary outputs ‘malicious’ or ‘benign,’ the cyber threat defense system's mathematical algorithms produce outputs that indicate differing degrees of potential compromise. This output enables users of the system to rank different alerts in a rigorous manner and prioritize those that most urgently require action, simultaneously removing the problem of numerous false positives associated with a rule-based approach.

At its core, the cyber threat defense system mathematically characterizes what constitutes ‘normal’ behavior based on the analysis of a large number/set of different measures of a devices network behavior, examples include at least one or more of: server access; data access; timings of events; credential use; DNS requests; and/or any other similar parameters. Each measure of network behavior is then monitored in real time to detect anomalous behaviors.

Clustering

To be able to properly model what should be considered as normal for a device, its behavior must be analyzed in the context of other similar devices on the network. To accomplish this, the cyber threat defense system leverages the power of unsupervised learning to algorithmically identify naturally occurring groupings of devices, a task which is impossible to do manually on even modestly sized networks.

In order to achieve as holistic a view of the relationships within the network as possible, the cyber threat defense system simultaneously employs a number of different clustering methods including matrix based clustering, density based clustering and hierarchical clustering techniques. The resulting clusters are then used to inform the modeling of the normative behaviors of individual devices. At a glance, clustering: (i) Analyzes behavior in the context of other similar devices on the network; (ii) Algorithms identify naturally occurring groupings of devices—impossible to do manually; and (iii) Simultaneously runs a number of different clustering methods to inform the models.

Network Topology

Any cyber threat detection system must also recognize that a network is far more than the sum of its individual parts, with much of its meaning contained in the relationships among its different entities, and that complex threats may often induce subtle changes in this network structure. To capture such threats, the cyber threat defense system employs several different mathematical methods in order to be able to model multiple facets of a networks topology.

One approach is based on iterative matrix methods that reveal important connectivity structures within the network. In tandem with these, the cyber threat defense system has developed innovative applications of models from the field of statistical physics, which allow the modeling of a network's ‘energy landscape’ to reveal anomalous substructures that may be concealed within.

Network Structure

A further important challenge in modeling the behaviors of network devices, as well as of networks themselves, is the high-dimensional structure of the problem with the existence of a huge number of potential predictor variables. Observing packet traffic and host activity within an enterprise LAN, WAN and Cloud is difficult because both input and output may contain many inter-related features (protocols, source and destination machines, log changes and rule triggers, etc.). Learning a sparse and consistent structured predictive function is crucial to avoid the curse of over fitting.

In this context, the cyber threat defense system has employed a cutting edge large-scale computational approach to learn sparse structure in models of network behavior and connectivity based on applying L1-regularization techniques (e.g. a lasso method). This allows for the discovery of true associations between different network components and events that may be cast as efficiently solvable convex optimization problems and yield parsimonious models.

Recursive Bayesian Estimation

To combine these multiple analyses of different measures of network behavior to generate a single comprehensive picture of the state of each device, the cyber threat defense system takes advantage of the power of Recursive Bayesian Estimation (RBE) via an implementation of the Bayes filter.

Using RBE, the cyber threat defense system's mathematical models are able to constantly adapt themselves, in a computationally efficient manner, as new information becomes available to the system. They continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors where conventional signature-based methods fall down.

The cyber threat defense system's innovative approach to cyber security has pioneered the use of Bayesian methods for tracking changing device behaviors and computer network structures. The core of the cyber threat defense system's mathematical modeling is the determination of normative behavior, enabled by a sophisticated software platform that allows for its mathematical models to be applied to new network data in real time. The result is a system that is able to identify subtle variations in machine events within a computer networks behavioral history that may indicate cyber-threat or compromise.

The cyber threat defense system uses mathematical analysis and machine learning to detect potential threats, allowing the system to stay ahead of evolving risks. The cyber threat defense system approach means that detection no longer depends on an archive of previous attacks. Instead, attacks may be spotted against the background understanding of what represents normality within a network. No pre-definitions are needed, which allows for the best possible insight and defense against today's threats. On top of the detection capability, the cyber threat defense system may create digital antibodies automatically, as an immediate response to the most threatening cyber breaches. The cyber threat defense system approach both detects and defends against cyber threat. Genuine unsupervised machine learning eliminates the dependence on signature-based approaches to cyber security, which are not working. The cyber threat defense system's technology may become a vital tool for security teams attempting to understand the scale of their network, observe levels of activity, and detect areas of potential weakness. These no longer need to be manually sought out, but are flagged by the automated system and ranked in terms of their significance.

Machine learning technology is the fundamental ally in the defense of systems from the hackers and insider threats of today, and in formulating response to unknown methods of cyber-attack. It is a momentous step change in cyber security. Defense must start within. As such, the threat detection system that has been discussed above therefore implements a propriety form of recursive Bayesian estimation to maintain a distribution over the probability state variable. This distribution is built from the complex set of low-level host, network and traffic observations or ‘features’. These features are recorded iteratively and processed in real time on the platform. A plausible representation of the relational information among entities in dynamic systems in general, such as an enterprise network, a living cell or a social community, or indeed the entire internet, is a stochastic network, which is topological rewiring and semantically evolving over time. In many high-dimensional structured I/O problems, such as the observation of packet traffic and host activity within a distributed digital enterprise, where both input and output may contain tens of thousands, sometimes even millions of interrelated features (data transport, host-web-client dialogue, log change and rule trigger, etc.), learning a sparse and consistent structured predictive function is challenged by a lack of normal distribution. To overcome this, the threat detection system consists of a data structure that decides on a rolling continuum rather than a stepwise method in which recurring time cycles such as the working day, shift patterns and other routines are dynamically assigned. Thus, providing a non-frequentist architecture for inferring and testing causal links between explanatory variables, observations and feature sets. This permits an efficiently solvable convex optimization problem and yield parsimonious models. In such an arrangement, the threat detection processing may be triggered by the input of new data. Alternatively, the threat detection processing may be triggered by the absence of expected data. In some arrangements, the processing may be triggered by the presence of a particular actionable event.

The method and system are arranged to be performed by one or more processing components with any portions of software stored in an executable format on a computer readable medium. The computer readable medium may be non-transitory and does not include radio or other carrier waves. The computer readable medium could be, for example, a physical computer readable medium such as semiconductor or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disc, and an optical disk, such as a CD-ROM, CD-R/W or DVD.

The various methods described above may be implemented by a computer program product. The computer program product may include computer code arranged to instruct a computer to perform the functions of one or more of the various methods described above. The computer program and/or the code for performing such methods may be provided to an apparatus, such as a computer, on a computer readable medium or computer program product. For the computer program product, a transitory computer readable medium may include radio or other carrier waves.

An apparatus such as a computer may be configured in accordance with such code to perform one or more processes in accordance with the various methods discussed herein.

Web Site

The web site is configured as a browser-based tool or direct cooperating app tool for configuring, analyzing, and communicating with the cyber threat defense system.

Network

A number of electronic systems and devices may communicate with each other in a network environment. The network environment has a communications network. The network may include one or more networks selected from an optical network, a cellular network, the Internet, a Local Area Network (“LAN”), a Wide Area Network (“WAN”), a satellite network, a 3^(rd) party ‘cloud’ environment; a fiber network, a cable network, and combinations thereof. In some embodiments, the communications network is the Internet. There may be many server computing systems and many client computing systems connected to each other via the communications network.

The communications network may connect one or more server computing systems selected from at least a first server computing system and a second server computing system to each other and to at least one or more client computing systems as well. The server computing systems may each optionally include organized data structures such as databases. Each of the one or more server computing systems may have one or more virtual server computing systems, and multiple virtual server computing systems may be implemented by design. Each of the one or more server computing systems may have one or more firewalls and similar defenses to protect data integrity.

At least one or more client computing systems for example, a mobile computing device (e.g., smartphone with an Android-based operating system may communicate with the server(s). The client computing system may include, for example, the software application or the hardware-based system in which the client computing system may be able to exchange communications with the first electric personal transport vehicle, and/or the second electric personal transport vehicle. Each of the one or more client computing systems may have one or more firewalls and similar defenses to protect data integrity.

A cloud provider platform may include one or more of the server computing systems. A cloud provider may install and operate application software in a cloud (e.g., the network such as the Internet) and cloud users may access the application software from one or more of the client computing systems. Generally, cloud users that have a cloud-based site in the cloud may not solely manage a cloud infrastructure or platform where the application software runs. Thus, the server computing systems and organized data structures thereof may be shared resources, where each cloud user is given a certain amount of dedicated use of the shared resources. Each cloud user's cloud-based site may be given a virtual amount of dedicated space and bandwidth in the cloud. Cloud applications may be different from other applications in their scalability, which may be achieved by cloning tasks onto multiple virtual machines at run-time to meet changing work demand. Load balancers distribute the work over the set of virtual machines. This process is transparent to the cloud user, who sees only a single access point.

Cloud-based remote access may be configured to utilize a protocol, such as Hypertext Transfer Protocol (“HTTP”), to engage in a request and response cycle with an application on a client computing system such as a web-browser application resident on the client computing system. The cloud-based remote access may be accessed by a smartphone, a desktop computer, a tablet, or any other client computing systems, anytime and/or anywhere. The cloud-based remote access is configured to engage in 1) the request and response cycle from all web browser based applications, 3) the request and response cycle from a dedicated on-line server, 4) the request and response cycle directly between a native application resident on a client device and the cloud-based remote access to another client computing system, and 5) combinations of these.

In an embodiment, the server computing system may include a server engine, a web page management component, a content management component, and a database management component. The server engine may perform basic processing and operating-system level tasks. The web page management component may handle creation and display, or routing of web pages or screens associated with receiving and providing digital content and digital advertisements. Users (e.g., cloud users) may access one or more of the server computing systems by means of a Uniform Resource Locator (“URL”) associated therewith. The content management component may handle most of the functions in the embodiments described herein. The database management component may include storage and retrieval tasks with respect to the database, queries to the database, and storage of data.

In some embodiments, a server computing system may be configured to display information in a window, a web page, or the like. An application including any program modules, applications, services, processes, and other similar software executable when executed on, for example, the server computing system, may cause the server computing system to display windows and user interface screens in a portion of a display screen space. With respect to a web page, for example, a user via a browser on the client computing system may interact with the web page, and then supply input to the query/fields and/or service presented by the user interface screens. The web page may be served by a web server, for example, the server computing system, on any Hypertext Markup Language (“HTML”) or Wireless Access Protocol (“WAP”) enabled client computing system or any equivalent thereof. The client computing system may host a browser and/or a specific application to interact with the server computing system. Each application has a code scripted to perform the functions that the software component is configured to carry out such as presenting fields to take details of desired information. Algorithms, routines, and engines within, for example, the server computing system may take the information from the presenting fields and put that information into an appropriate storage medium such as a database (e.g., database). A comparison wizard may be scripted to refer to a database and make use of such data. The applications may be hosted on, for example, the server computing system and served to the specific application or browser of, for example, the client computing system. The applications then serve windows or pages that allow entry of details.

The cyber security appliance 100 can use a Recursive Bayesian Estimation. To combine these multiple analyzes of different measures of network behavior to generate a single overall/comprehensive picture of the state of each device, the cyber security appliance 100 takes advantage of the power of Recursive Bayesian Estimation (RBE) via an implementation of the Bayes filter.

Using RBE, the cyber security appliance 100's AI models are able to constantly adapt themselves, in a computationally efficient manner, as new information becomes available to the system. The cyber security appliance 100's AI models continually recalculate threat levels in the light of new evidence, identifying changing attack behaviors where conventional signature based methods fall down.

Training a model can be accomplished by having the model learn good values for all of the weights and the bias for labeled examples created by the system, and in this case; starting with no labels initially. A goal of the training of the model can be to find a set of weights and biases that have low loss, on average, across all examples.

An anomaly detection technique that can be used is supervised anomaly detection that requires a data set that has been labeled as “normal” and “abnormal” and involves training a classifier. Another anomaly detection technique that can be used is an unsupervised anomaly detection that detects anomalies in an unlabeled test data set under the assumption that the majority of the instances in the data set are normal, by looking for instances that seem to fit least to the remainder of the data set. The model representing normal behavior from a given normal training data set can detect anomalies by establishing the normal pattern and then test the likelihood of a test instance under analysis to be generated by the model. Anomaly detection can identify rare items, events or observations which raise suspicions by differing significantly from the majority of the data, which includes rare objects as well as things like unexpected bursts in activity.

The method and system are arranged to be performed by one or more processing components with any portions of software stored in an executable format on a computer readable medium. Thus, any portions of the method, apparatus and system implemented as software can be stored in one or more non-transitory memory storage devices in an executable format to be executed by one or more processors. The computer readable medium may be non-transitory and does not include radio or other carrier waves. The computer readable medium could be, for example, a physical computer readable medium such as semiconductor memory or solid state memory, magnetic tape, a removable computer diskette, a random access memory (RAM), a read-only memory (ROM), a rigid magnetic disc, and an optical disk, such as a CD-ROM, CD-R/W or DVD.

The various methods described above may be implemented by a computer program product. The computer program product may include computer code arranged to instruct a computer to perform the functions of one or more of the various methods described above. The computer program and/or the code for performing such methods may be provided to an apparatus, such as a computer, on a computer readable medium or computer program product. For the computer program product, a transitory computer readable medium may include radio or other carrier waves.

A computing system can be, wholly or partially, part of one or more of the server or client computing devices in accordance with some embodiments. Components of the computing system can include, but are not limited to, a processing unit having one or more processing cores, a system memory, and a system bus that couples various system components including the system memory to the processing unit.

Computing Devices

FIG. 6 illustrates a block diagram of an embodiment of one or more computing devices that can be a part of the AI based cyber security system for an embodiment of the current design discussed herein.

The computing device may include one or more processors or processing units 620 to execute instructions, one or more memories 630-632 to store information, one or more data input components 660-663 to receive data input from a user of the computing device 600, one or more modules that include the management module, a network interface communication circuit 670 to establish a communication link to communicate with other computing devices external to the computing device, one or more sensors where an output from the sensors is used for sensing a specific triggering condition and then correspondingly generating one or more preprogrammed actions, a display screen 691 to display at least some of the information stored in the one or more memories 630-632 and other components. Note, portions of this design implemented in software 644, 645, 646 are stored in the one or more memories 630-632 and are executed by the one or more processors 620. The processing unit 620 may have one or more processing cores, which couples to a system bus 621 that couples various system components including the system memory 630. The system bus 621 may be any of several types of bus structures selected from a memory bus, an interconnect fabric, a peripheral bus, and a local bus using any of a variety of bus architectures.

Computing device 602 typically includes a variety of computing machine-readable media. Machine-readable media can be any available media that can be accessed by computing device 602 and includes both volatile and nonvolatile media, and removable and non-removable media. By way of example, and not limitation, computing machine-readable media use includes storage of information, such as computer-readable instructions, data structures, other executable software, or other data. Computer-storage media includes, but is not limited to, RAM, ROM, EEPROM, flash memory or other memory technology, CD-ROM, digital versatile disks (DVD) or other optical disk storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices, or any other tangible medium which can be used to store the desired information and which can be accessed by the computing device 602. Transitory media such as wireless channels are not included in the machine-readable media. Machine-readable media typically embody computer readable instructions, data structures, and other executable software.

In an example, a volatile memory drive 641 is illustrated for storing portions of the operating system 644, application programs 645, other executable software 646, and program data 647.

A user may enter commands and information into the computing device 602 through input devices such as a keyboard, touchscreen, or software or hardware input buttons 662, a microphone 663, a pointing device and/or scrolling input component, such as a mouse, trackball or touch pad 661. The microphone 663 can cooperate with speech recognition software. These and other input devices are often connected to the processing unit 620 through a user input interface 660 that is coupled to the system bus 621, but can be connected by other interface and bus structures, such as a lighting port, game port, or a universal serial bus (USB). A display monitor 691 or other type of display screen device is also connected to the system bus 621 via an interface, such as a display interface 690. In addition to the monitor 691, computing devices may also include other peripheral output devices such as speakers 697, a vibration device 699, and other output devices, which may be connected through an output peripheral interface 695.

The computing device 602 can operate in a networked environment using logical connections to one or more remote computers/client devices, such as a remote computing system 680. The remote computing system 680 can a personal computer, a mobile computing device, a server, a router, a network PC, a peer device or other common network node, and typically includes many or all of the elements described above relative to the computing device 602. The logical connections can include a personal area network (PAN) 672 (e.g., Bluetooth®), a local area network (LAN) 671 (e.g., Wi-Fi), and a wide area network (WAN) 673 (e.g., cellular network). Such networking environments are commonplace in offices, enterprise-wide computer networks, intranets and the Internet. A browser application and/or one or more local apps may be resident on the computing device and stored in the memory.

When used in a LAN networking environment, the computing device 602 is connected to the LAN 671 through a network interface 670, which can be, for example, a Bluetooth® or Wi-Fi adapter. When used in a WAN networking environment (e.g., Internet), the computing device 602 typically includes some means for establishing communications over the WAN 673. With respect to mobile telecommunication technologies, for example, a radio interface, which can be internal or external, can be connected to the system bus 621 via the network interface 670, or other appropriate mechanism. In a networked environment, other software depicted relative to the computing device 602, or portions thereof, may be stored in the remote memory storage device. By way of example, and not limitation, remote application programs 685 as reside on remote computing device 680. It will be appreciated that the network connections shown are examples and other means of establishing a communications link between the computing devices that may be used.

FIG. 7 illustrates a block diagram of creating a reference environment, in accordance with some embodiments. In particular, FIG. 7 illustrates the initial creation of a ‘reference’ environment suitable for supporting rapid repeatable testing of the unsupervised machine learning algorithms of the cyber security system. The reference environment is an ongoing example of a network in which nothing malicious has occurred but lots of ‘normal’ activities take place.

FIG. 8 illustrates a block diagram of infecting a clone network by a cyber-threat, in accordance with some embodiments. As noted above, the clone creator can clone the entire environment and let it run, while the reference network is operating uninterrupted. It is worth mentioning that several clone networks can run simultaneously with the reference network, while the each clone network is being used to evaluate a particular cyber-threat. Once the clone creator runs a scripted cyber-threat in a clone network, the clone creator can monitor and record each event that occurs in the infected clone network. The recorded events c be used by a separate module to simulate possible paths the cyber-threat can propagate with a defensive action taken by the clone network at any stage of the cyber-threat. While the cyber-threats can be actual cyber-attacks that have already happened or are happening, the cyber-threats can involve fake “external” cyber-threats. Once the outcomes of the cyber-threat are examined, the clone creator can discard the clone network completely.

FIG. 9 illustrates a block diagram of updating the reference network based on a clone network with potential changes to a cyber security appliance, its machine learning algorithms, a set of devices and traffic data in accordance with an embodiment of the disclosure. This diagram shows how the ‘reference’ environment can be safely changed over time when all updates and changes carry a risk of mistakes or errors that would introduce unwanted training data to its unsupervised machine learning algorithms. An (identical) clone is created and changed in the manner wanted and tested to confirm there are no unwanted affects. This clone then becomes the designated ‘reference’ instance and the previous one can be discarded.

Note, an application described herein includes but is not limited to software applications, mobile applications, and programs that are part of an operating system application. Some portions of this description are presented in terms of algorithms and symbolic representations of operations on data bits within a computer memory. These algorithmic descriptions and representations are the means used by those skilled in the data processing arts to most effectively convey the substance of their work to others skilled in the art. An algorithm is here, and generally, conceived to be a self-consistent sequence of steps leading to a desired result. The steps are those requiring physical manipulations of physical quantities. Usually, though not necessarily, these quantities take the form of electrical or magnetic signals capable of being stored, transferred, combined, compared, and otherwise manipulated. It has proven convenient at times, principally for reasons of common usage, to refer to these signals as bits, values, elements, symbols, characters, terms, numbers, or the like. These algorithms can be written in a number of different software programming languages such as Python, C, C++, Java, HTTP, or other similar languages. Also, an algorithm can be implemented with lines of code in software, configured logic gates in hardware, or a combination of both. In an embodiment, the logic consists of electronic circuits that follow the rules of Boolean Logic, software that contain patterns of instructions, or any combination of both. A module may be implemented in hardware electronic components, software components, and a combination of both.

Generally, an application includes programs, routines, objects, widgets, plug-ins, and other similar structures that perform particular tasks or implement particular abstract data types. Those skilled in the art can implement the description and/or figures herein as computer-executable instructions, which can be embodied on any form of computing machine-readable media discussed herein.

Many functions performed by electronic hardware components can be duplicated by software emulation. Thus, a software program written to accomplish those same functions can emulate the functionality of the hardware components in input-output circuitry.

Unless specifically stated otherwise as apparent from the above discussions, it is appreciated that throughout the description, discussions utilizing terms such as “processing” or “computing” or “calculating” or “determining” or “displaying” or the like, refer to the action and processes of a computer system, or similar electronic computing device, that manipulates and transforms data represented as physical (electronic) quantities within the computer system's registers and memories into other data similarly represented as physical quantities within the computer system memories or registers, or other such information storage, transmission or display devices.

While the foregoing design and embodiments thereof have been provided in considerable detail, it is not the intention of the applicant(s) for the design and embodiments provided herein to be limiting. Additional adaptations and/or modifications are possible, and, in broader aspects, these adaptations and/or modifications are also encompassed. Accordingly, departures may be made from the foregoing design and embodiments without departing from the scope afforded by the following claims, which scope is only limited by the claims when appropriately construed. 

What is claimed is:
 1. An apparatus, comprising: a clone creator configured to 1) create a clone of one or more machine learning architectures and their corresponding one or more machine learning algorithms from a reference cyber security appliance, wherein the reference cyber security appliance includes one or more architectures using the one or more machine learning algorithms that continue to update weights applied to its machine learning during a deployment of that machine learning architecture; 2) create a clone network from the reference network in operation, wherein the reference network includes a set of devices, a set of user accounts, and a set of IP packet traffic, and the clone network includes a set of devices corresponding to the set of devices in the reference network, and copies of the set of user accounts and the set of IP packet traffic; 3) create a clone cyber security appliance from the reference cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms and machine learning architectures from the reference cyber security appliance, and 4) test out one or more cyber-attacks on the clone network, which is being protected by the clone cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms by injecting one or more cyber-attacks into the clone network, wherein the reference network including its devices, user accounts, and IP packet traffic will not be affected by the one or more cyber-attacks that will be unleashed on the clone network, wherein the clone network is created in a virtual machine environment; and a user interface configured to cooperate with the clone creator to convey results of the one or more cyber-attacks on the clone network and analysis by the clone cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms recorded during the one or more cyber-attacks.
 2. The apparatus of claim 1, wherein the clone creator is configured to make the clone from the reference network including the set of devices, the set of user accounts, and the set of IP packet traffic, by taking a first snapshot of a disk image including a memory and settings of the set of devices and the set of user accounts being cloned and then store the clone of the reference network in a data store.
 3. The apparatus of claim 1, wherein the clone creator is further configured to make the clone from the reference cyber security appliance, that has the one or more machine learning architectures using the one or more machine learning algorithms, by taking a second snapshot of a disk image including a memory and settings including its machine learning weights of the one or more machine learning architectures and then store the clone of the reference security appliance in a data store.
 4. The apparatus of claim 1, wherein the clone creator is further configured to set up one or more sandbox environments, wherein each sandbox environment is populated with one or more virtual machines to implement the clone network, including the set of devices, the set of user accounts, the set of IP packet traffic, and a virtual machine configured to implement a reference copy of the cyber security appliance and the one or more machine learning architectures.
 5. The apparatus of claim 4, further comprising: a cyber threat creator, wherein the cyber threat creator is configured to unleash an actual cyber threat attack on the clone network, including the set of devices, the set of user accounts and the set of IP packet traffic.
 6. The apparatus of claim 5, wherein the actual cyber threat is implemented by the one or more virtual machines, which is being protected by the copy of the cyber security appliance and the one or more machine learning architectures.
 7. The apparatus of claim 1, further comprising: a user interface and a data management module in the clone creator, wherein the clone creator, the cyber threat creator and the data management module cooperate with a data store and the user interface to record events in the clone cyber security appliance and the clone network.
 8. The apparatus of claim 7, wherein the recorded events include lateral movement indicative of possible activity and the set of devices and the set of user accounts compromised during the actual cyber threat attack in the clone network and actions taken by the clone cyber security appliance to detect the actual cyber threat attack on the clone network, and actions taken by the reference cyber security appliance to mitigate the actual cyber threat attack.
 9. The apparatus of claim 8, the user interface is further configured to display, on a display screen, the recorded events to a user and allow a user to watch and observe what is happening in the clone cyber security appliance and the clone network.
 10. The apparatus of claim 1, wherein the actual cyber threat is not applied to the reference network, so the reference network and the reference cyber security appliance remain clean and untainted by the actual cyber threat attack.
 11. A method for automated cloning, comprising: configuring a clone creator to 1) create a clone of one or more machine learning architectures and their corresponding one or more machine learning algorithms from a reference cyber security appliance, wherein the reference cyber security appliance includes one or more architectures using the one or more machine learning algorithms that continue to update weights applied to its machine learning during a deployment of that machine learning architecture; 2) create a clone network from the reference network in operation, wherein the reference network includes a set of devices, a set of user accounts, and a set of IP packet traffic, and the clone network includes a set of devices corresponding to the set of devices in the reference network, and copies of the set of user accounts and the set of IP packet traffic; 3) create a clone cyber security appliance from the reference cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms and machine learning architectures from the reference cyber security appliance, and 4) test out one or more cyber-attacks on the clone network, which is being protected by the clone cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms by injecting one or more cyber-attacks into the clone network, wherein the reference network including its devices, user accounts, and IP packet traffic will not be affected by the one or more cyber-attacks that will be unleashed on the clone network, wherein the clone network is created in a virtual machine environment; and configuring aa user interface to cooperate with the clone creator to convey results of the one or more cyber-attacks on the clone network and analysis by the clone cyber security appliance including the one or more machine learning architectures using the one or more machine learning algorithms recorded during the one or more cyber-attacks.
 12. The method of claim 11, further comprising: configuring the clone creator to make the clone from the reference network including the set of devices, the set of user accounts, and the set of IP packet traffic, by taking a first snapshot of a disk image including a memory and settings of the set of devices and the set of user accounts being cloned and then store the clone of the reference network in a data store.
 13. The method of claim 11, further comprising: configuring the clone creator to make the clone from the reference cyber security appliance, that has the one or more machine learning architectures using the one or more machine learning algorithms, by taking a second snapshot of a disk image including a memory and settings including its machine learning weights of the one or more machine learning architectures and then store the clone of the reference security appliance in a data store.
 14. The method of claim 11, further comprising: configuring the clone creator to set up one or more sandbox environments, wherein each sandbox environment is populated with one or more virtual machines to implement the clone network, including the set of devices, the set of user accounts, the et of IP packet traffic, and a virtual machine configured to implement a reference copy of the cyber security appliance and the one or more machine learning architectures.
 15. The method of claim 14, further comprising: configuring a cyber threat creator to unleash an actual cyber threat attack on the clone network, including the set of devices, the set of user accounts and the set of IP packet traffic, wherein the actual cyber threat is implemented by the one or more virtual machines, which is being protected by the copy of the cyber security appliance and the one or more machine learning architectures.
 16. The method of claim 11, further comprising: configuring a user interface and a data management module in the clone creator, wherein the clone creator, the cyber threat creator and the data management module cooperate with a data store and the user interface to record events in the clone cyber security appliance and the clone network.
 17. The method of claim 16, wherein the recorded events include lateral movement indicative of possible activity and the set of devices and the set of user accounts compromised during the actual cyber threat attack in the clone network and actions taken by the clone cyber security appliance to detect the actual cyber threat attack on the clone network, and actions taken by the reference cyber security appliance to mitigate the actual cyber threat attack.
 18. The method of claim 17, further comprising: configuring the user interface to display, on a display screen, the recorded events to a user and allow a user to watch and observe what is happening in the clone cyber security appliance and the clone network.
 19. The method of claim 11, wherein the reference network and the reference cyber security appliance use the one or more machine learning architectures to protect the reference network remain clean and untainted by the actual cyber threat attack on the clone network.
 20. A non-transitory computer readable medium in an apparatus, comprising: one or more computer readable codes operable, when executed by one or more processors, to instruct a clone creator configured to perform the method of claim
 11. 